Method and apparatus for protecting internal memory from external access

ABSTRACT

Method and apparatus for protecting internal memory from external access. A method for protecting a memory space from external access is provided. A plurality of lock bits are stored in a location in memory, each associated with a separate logical portion of the memory space and determinative as to the access thereof for a predetermined operation thereon. A request is then detected for access to a location in the memory space for operating thereon. The requested operation is then compared with the associated lock bit in the associated logical portion and then it is determined if access is allowed for the requested operation. If allowed, the requested operation is performed.

CROSS REFERENCE TO RELATED APPLICATIONS

The present application is a Continuation of pending U.S. patentapplication Ser. No. 09/901,918, filed Jul. 9, 2001, and entitled“METHOD AND APPARATUS FOR PROTECTING INTERNAL MEMORY FROM EXTERNALACCESS” (Atty. Dkt. No. CYGL-24,692), which is a Continuation-in-Part ofU.S. patent application Ser. No. 09/479,551, filed Jan. 7, 2000, andentitled “EMBEDDED MICROPROCESSOR MULTI-LEVEL SECURITY SYSTEM IN FLASHMEMORY” (Atty. Dkt. No. CYGL-24,693), issued Sep. 2, 2003 as U.S. Pat.No. 6,615,324.

TECHNICAL FIELD

The present disclosure pertains in general to memory systems and, moreparticularly, to a data protected memory system.

BACKGROUND

Currently available memory systems are typically interfaced with amicroprocessor core, which microprocessor core is operable to access anyand all locations in the memory by generating an appropriate address.The processor requires access to the memory in order to both executeinstructions and also read data from an address location or write datathereto.

In some situations, certain instructions are proprietary in nature andit is the desire of a manufacturer to protect that code. It is not theexecution of the code that is to be protected but, rather, the abilityof a user to gain access to the code, i.e., download the code, forreverse engineering thereof to determine the functionality that isembedded within the code. In systems that have provided this protectedmemory to prevent access to data or programs stored in the memory,circuitry is provided for monitoring the contents of the Program Counterand generating an inhibit signal whenever the Program Counter is at acertain value. This inhibit signal inhibits access to certain portionsof the memory.

Additionally, protection of the memory is also important to the “lock”the memory from external access. This has typically been facilitated bygenerating lock bits in predetermined locations. Once these lock bitsare set, the hardware will check a lock bit prior to allowing access toa particular section of memory. If a lock bit for that memory is set,then access to the memory for a read or write, depending upon whichfunction is locked, will be prohibited. In order to reset the lock bit,the entire memory has to be erased.

SUMMARY

The present disclosure comprises, in one aspect thereof, a method forprotecting a memory space from external access. A plurality of lock bitsare stored in a location in memory, each associated with a separatelogical portion of the memory space and determinative as to the accessthereof for a predetermined operation thereon. A request is thendetected for access to a location in the memory space for operatingthereon. The requested operation is then compared with the associatedlock bit in the associated logical portion and then it is determined ifaccess is allowed for the requested operation. If allowed, the requestedoperation is performed.

BRIEF DESCRIPTION OF THE DRAWINGS

For a more complete understanding of the present disclosure and theadvantages thereof, reference is now made to the following descriptiontaken in conjunction with the accompanying Drawings in which:

FIG. 1 illustrates a block diagram of the overall system associated withthe present disclosed embodiment;

FIG. 2 illustrates a detailed diagram of the processor core and memorywith the associated protected control logic;

FIG. 3 illustrates a diagrammatic view of the memory map for therestricted space and user space;

FIG. 4 illustrates an exemplary flowchart illustrating a processorbetween the user space and the restricted space;

FIG. 5 illustrates a diagrammatic view of a system using the protectedmemory of the present disclosure;

FIG. 6 illustrates a more detailed block diagram of a microprocessorcore and memory with the protective logic interface;

FIG. 7 illustrates a detailed block diagram of one aspect of theprotective logic;

FIG. 8 illustrates a block diagram of another embodiment of theprotective logic;

FIG. 9 illustrates another embodiment of the protective logic;

FIG. 10 illustrates an additional embodiment of the protective logic;

FIG. 11 illustrates a diagrammatic view of the reserve space and userspace illustrating the reserved and user lock bits;

FIG. 12 illustrates a diagram of the hardware for protecting portions ofthe memory;

Responsive FIG. 13 illustrates a diagrammatic view of the association ofthe lock bits with various pages in the associated memory;

FIG. 14 illustrates a flow chart depicting the operation of reading orwriting to potentially protected portions of the memory; and

FIG. 15 illustrates a flow chart depicting erasing all or a section ofthe user space.

DETAILED DESCRIPTION

Referring now to FIG. 1, there is illustrated a top-level diagram of asystem utilizing the protected memory of the present disclosure. Anintegrated circuit 10 is provided which has disposed therein a protectedmemory 12. The protected memory 12 has associated therewith a protectedmemory region 14 and a user memory region 16. The integrated circuit 10can be interfaced to any type of application 18, which can be any typeof integrated circuit or board level device that interfaces with theintegrated circuit 10. This integrated circuit 10 could be a part of aPC board, which includes other integrated circuits or it could be astand-alone integrated circuit that contains substantially allfunctionality needed to interface with the application 18. As will bedescribed hereinbelow, the protected memory region 14 containsproprietary instructions that can be executed under the control of theuser memory region 16. However, the user cannot, through programinstructions stored in the user memory section 16, access information inthe protected memory region 14 for retrieval therefrom for the purposeof viewing the instruction code or even the data stored in the protectedmemory region 14.

Referring now to FIG. 2, there is illustrated a block diagram of theinterface between a memory block 202 and a processor core 204. Theprocessor core 204 contains general processing architecture and isoperable to generate addresses, receive data, generate various controlfunctions, etc. Typically, this will contain a Program Counter forsubstantially stepping through various instructions that are retrievedfrom the memory 202. A control logic block 206 is disposed between theprocessor core 204 and the memory 202, this having associated therewiththe various logic function to achieve the protected memory functiondescribed hereinbelow. The control logic block 206 is operable tointerpret addresses received from the processor core 204 and comparethem with information stored in a limit register 208. This limitregister 208 is either mask programmed or it is electronicallyprogrammed as a Write-Once, Read-Many (WORM) memory that allows a limitto be input to the integrated circuit 10, which limit defines theboundary between the protected memory region 14 and the user memoryregion 16. The control logic block 206, as will be described furtherhereinbelow, is operable to monitor the contents of the address bus anddetermine whether the contents of the address bus are directed towardthe operation of fetching data or attempting to fetch an instructioncode, i.e., whether the contents of the address bus constitute thecontents of the Program Counter. With this information, the controllogic block can then determine whether access is to be allowed to thememory 202. If not, some type of inhibit or other protected operation isundertaken.

Referring now to FIG. 3, there is illustrated a diagrammatic view of amemory map for the memory 202. The memory 202, as is conventional, iscomprised of a plurality of memory locations which are accessible bygenerating an address. When the address is generated, a plurality ofmemory locations are accessed which typically constitute a “byte” ofdata, although any length is anticipated. For each address generated,one byte of data will be output. The memory map of FIG. 3 represents asequence of byte locations from a lower byte location 302 to an upperbyte location 304. The memory is divided into a restricted space and auser space, the restricted space comprising memory locations 306 and theuser space comprising memory locations 308. There is one addressablememory location, memory location 310, which constitutes the boundarymemory location. The address of this boundary location constitutes anaddress that is in the restricted space 306 and which address comprisesthe “limit” for the operation, as will be described in more detailhereinbelow.

The Program Counter (PC) is basically a pointer that defines an addressfor a particular instruction to be carried out. When this ProgramCounter address is generated, it is placed onto the address bus and theinformation at that address location extracted therefrom and routed tothe processor core 204 for operations thereon. In the execution of thevarious instructions, the Program Counter may actually jump from theuser space 308 up to the restricted space 306 to execute instructionstherein. This is allowed in accordance with the embodiment herein tofacilitate executing instructions in the restricted space 306 inresponse to a “call” instruction executed in the user space 308.However, as will be further described hereinbelow, instructions in theuser space 308 cannot generate an address for the purpose of readingdata from the restricted space 306 which would allow output ofinformation stored in the restricted space from the system. Theprotective operation described herein is operable to prevent such anoperation from occurring.

Referring now to FIG. 4, there is illustrated an exemplary flowchartthat depicts operation of the system wherein the instructions jumpbetween the user space and the restricted space. In the first portion402, the flowchart is executed along a flow path which has insertedtherein a “Call” instruction in a block 406. At this instruction, theprogram is instructed to jump to the restricted space 306 by changingthe value of the Program Counter (PC) and execute instructions thereinin accordance with the new value of the PC. These blocks in theflowchart are a combination of various function blocks “Fun” anddecision blocks “D.” When the Call instruction is incurred at the block406, the program will jump to the restricted space, represented byregion 408. Of course, the Call instruction 406 must have associatedtherewith an Operand that has a Program Counter value associated with anaddressable location within the restricted space 306. Once in therestricted space at the jumped-to location, the program will beginexecution therefrom. This is represented by the various operationalblocks in the program within the region 408. Once all the instructionshave been executed in the restricted space associated with the jumped-tolocation, there will be an instruction at the end of the executableportion representing a return to the user space, indicated by a functionblock 412. This will then result in the Program Counter being returnedback to the user space, typically at the next sequential Program Countervalue as that associated with the Call instruction 406. The program willthen continue in the user space, as represented by a portion 414 of theflowchart.

By executing instructions in the user portion 402 or the user portion414 of the flowchart, the protective circuitry, as will be describedhereinbelow, prohibits any instructions from accessing an addressablelocation within the restricted space 306 for reading of informationtherein or writing of information thereto. This is facilitated byexamining the contents of the address bus and determining whether thecontents of the address bus constitute an address for the purpose ofreading or writing data or they constitute a Program Counter value forthe purpose of executing an instruction. If the program is operating inthe user space and the information placed on the address bus is that ofan address, as opposed to a Program Counter value, then the system isrestricted. However, once the program is jumped over to the restrictedspace 408 through the incrementing of the Program Counter to anaddressable location within the restricted space and placing of thatProgram Counter value on the address bus, then the operation will betransferred to the restricted space. Once in the restricted space, theprogram in the restricted space is capable of reading information froman addressable location anywhere in the memory and writing informationthereto. This, of course, will be under the control of proprietarysoftware and not under the control of user-generated software in theuser space 308.

Referring now to FIG. 5, there is illustrated a block diagram of anintegrated circuit 10 incorporating the protected memory. Amicroprocessor core 504 is provided having a Program Counter 506associated therewith. The microprocessor core 504 is interfaced with anaddress bus 508, a control bus 510 and a data bus 512. There is alsoprovided a program memory 514, the protected memory in the system, and adata memory 516. The data memory 516 can be any type of memory, avolatile memory or a non-volatile memory, for storing readily accessibledata in the such. There is also provided an input/output interface block518, which is operable to interface external circuitry with the buses508-512. The program memory 514 and the data memory 516 are alsointerfaced with the buses 508-512. However, the memory 514, theprotected memory, is interfaced with the buses 508-512 through a controllogic block 520. This control logic block 520 is operable to examineboth the address information on the address bus 508 and also theinformation in the Program Counter (or information relating thereto),which is interfaced therewith, through a Program Counter bus 522. Ofcourse, it should be understood that some of this control logic 520could be incorporated into the microprocessor core 504 and merely theresults of a comparison operation provided as a limited value output.The control logic block 520 is interfaced with a limit register 524,which is similar to the limit register 208 in that it containsinformation regarding the addressable location of the output between therestricted space 306 and the user space 308, this essentially being theaddress of the limit location 310. However, it should be understood thatmultiple limits could be provided within the restricted space providingdifferent restricted spaces. It is merely noted that the control logicblock 520 is operable to monitor the operation of the system anddetermine whether access to the memory 514 is to be allowed when thisaddress is generated. This is based upon various considerations, as willbe discussed hereinbelow.

The control logic block 520 is operable, when a determination is madethat access is to be prohibited, to take one of a number of actions. Oneaction could be to actually inhibit the address from being routed to thememory 14; one action could be to alter the address such that thedesired location is not actually addressed, but the address is forced tothe unrestricted space. Another action could be to inhibit output ofdata during that time or to output a preset data value such as an eightbit value of 00_(h). A further action is to inhibit the controlcircuitry feeding the memory. Each of these different alternatives willbe described hereinbelow. However, it should be understood that anymanner of preventing access to information within the memory, once ithas been determined that access to the restricted space is to be denied,would be anticipated by the present disclosure.

In order to describe how the system operates with respect to the ProgramCounter and the contents of the address register which can selectivelybe placed on the address bus, reference is made to the following Table1.

TABLE 1 MEM PC BUS BUS CONTENT (OPCODE) MOVEC 0001_(h) 0001_(h) PC Value(OPERAND) CD_(h) 0002_(h) 0002_(h) PC Value (DATA) FC_(h) xxxx 00CD_(h)ADDR-Allowed • • • • • • • • • • • • • • • (OPCODE) LJMP 00F1_(h)00F1_(h) PC Value (OPERAND) FE_(h) 00F2_(h) 00F2_(h) PC Value (OPERAND)FE_(h) 00F3_(h) 00F3_(h) PC Value (OPCODE) PUSH FEFE_(h) FEFE_(h) PCValue • • • • • • • • • • • • • • • (OPCODE) MOVEC FEFE_(h) FEFE_(h) PCValue (OPERAND) FF_(h) FEFF_(h) FEFF_(h) PC Value (OPERAND) FF_(h)FF00_(h) FF00_(h) PC Value (DATA) C2_(h) xxxx FFFF_(h) ADDR-Allowed • •• • • • • • • • • • • • • (OPCODE) MOVEC 00FE_(h) 00FE_(h) PC Value(OPERAND) FF_(h) FEFF_(h) C0FF_(h) PC Value (OPERAND) FF_(h) C000_(h)C000_(h) PC Value (DATA) C2_(h) xxxx FFFF_(h) ADDR-Not Allowed

In Table 1, it can be seen that there is provided the content of thememory location being addressed, the value of the Program Counter, thevalue actually placed on the address bus and the contents of the addressbus. In the first line, the Program Counter is initiated at a value of0001_(h) representing the first instructions which are initiated at thefirst location in the memory. By example, this is a move command whichis operable to control information to the access from the memory andmove to a register, such an accumulator or another location. This isreferred to as the command “MOVEC.” This constitutes the Opcode. Thesecond part of the instruction will be the Operand, which, in thisinstance, will be output when the Program Counter changes to 0002_(h).This results in the eight-bit value CD_(h) being output on the addressbus in the next operation. Therefore, for the first two steps, it can beseen that the Program Counter value can be placed onto the address busfor the purpose of addressing the memory. The eight-bit Operand CD_(h)constitutes an operation wherein this eight-bit value is appended ontoanother value, in this example, an eight-bit value of 00h to result inthe overall address value of 00CD_(h). At this point in time, theaddress bus value is an address value that is output from an addressregister and, therefore, the contents of the Program Counter are a“don't care.” As the instructions continue, the Program Counter will beincremented up to or jumped to a value of 00F1_(h). The Opcode in thememory will be a long jump command, LJMP, which requires both the highand low address values to the output over the next two increments of theProgram Counter. The first address will be a PC counter value of00F2_(h) at the value of FE_(h), and the next Program Counter incrementof 00F3h will result in an Operand of FE_(h) being output. These twoOperands are assembled as the high and low portions of the memoryaddress and placed into the Program Register as an address FEFE_(h).This constitutes a new Program Counter value which is then the subjectof some command in the memory, a PUSH command in this example, althoughit could be any type of command, the result of the overall LJMPoperation being to increment the Program Counter the value FEFE_(h) toexecute this command.

To illustrate the operation wherein a data move command is allowedwithin the restricted space, a third section of the code is illustrated.This is initiated at a program counter value of FEFE_(h) as a MOVECcommand. This is operable to, on the next two increments of the programcounter to FEFF_(h) and FF00_(h), respectively, to output the twooperands FF_(h) and FF_(h). This results in an address value of FFFF_(h)being placed onto the address bus to extract data from that location inthe restricted space, wherein the boundary between the restricted spaceand the user space is the address F000h. The system will examine thefact that the PC value on the previous operand was within the restrictedspace, but that it was an allowed operation, since the instructionoriginated within the restricted space due to the fact that the programcounter exists in the restricted space.

In a fourth section of the code, originating with a MOVEC command at anaddress of 00FE_(h) Program Counter value, an address attempt is made tothe address location FFFF_(h). If the limit between the restricted anduser space is an address location of F000h, then this would indicatethat a command originating in the user location 00FE_(h) was trying toattempt to place an address on the address bus that was in therestricted area, i.e., attempting to extract data therefrom. It can beseen by comparison of the last two sections of the code, that aninstruction originating in the restricted space accessing information inthe restricted space (or even in the user space) is allowed, whereinaccess to information in the restricted space in response to aninstruction from the user space is not allowed.

In the operation described in Table 1, a decision would be made at thepoint that the commands in the memory would result in an address beingplaced onto the address bus. It is at this point in time that the systemexamines the location within the memory of the Program Counter, and thenalso looks at the address to determine whether the address is seeking toaddress information within the user space or the restricted space. Asdescribed hereinabove and as will be further described hereinbelow inmore detail, if the Program Counter is in user space, addressinginformation in restricted space for the purpose of outputting thisinformation or examining the contents thereof will be prohibited.Alternatively, if the Program Counter is within the restricted space,i.e., executing instructions of a proprietary nature to the chip vendor,then addressing within the restricted space or the user space will bepermitted.

Referring now to FIG. 6, there is illustrated a more detailed blockdiagram of the embodiment of FIG. 2, wherein like numerals refer to likeparts in the various figures. The memory 202 is realized with a flashmemory, which has a data output port, Dout, interfaced with data outputbus 602 and a data input port, Din, interfaced with a data input bus604. There is also provided a control input CTL, which receives controlsfrom a control bus 606. The address is received on an address input viaan address bus 608. The control device 206 is comprised of a flashaccess control which is operable to interface with a TDI input bus 610,a serial bus, and provide data output on a TDO serial output bus 612.The control 206 also is interfaced with the data bus 602 such that theoutput by the memory 202 can be received thereby.

The control device 206 is operable to store the limit information andprovide that on a bus 614 to the microprocessor core 204 as the ProgramCounter limit, represented by a phantom block 616. Internal to themicroprocessor core 204, in one embodiment, the comparison operationcompares the actual value of the Program Counter with the PC limit inphantom block 616. This is output by a phantom block 618 which islabeled “PC Compare.” This is output as a signal on a signal line 620 tothe control block 206.

The control block 206 is operable to interface with, and include as partthereof, an address modifying the circuit, which is comprised in thisexample of multiplexer 622. The multiplexer 622 is operable to receive aportion of the address on an address bus 624, which address is alsoinput to the control block 206, this operation described in more detailhereinbelow. This portion of the address can be modified and output tothe multiplexer on a bus 626. The multiplexer 622 is controlled by acontrol line 628 such that the multiplexer can output the full addresson bus 624 or a modified address on a bus 626. This modified addressbasically is operable to inhibit address input to the memory 202 when itis determined that this address is the result of a program instructionthat is attempting to download or move data from the restricted portionof the memory space when the instruction code is derived from the userportion of the memory space. During operation of the memory 202, whenprogram instructions are extracted from the memory 202 in response to aProgram Counter value as an address being placed on the address bus 624,then program data will be output on the output bus 602 into a programdata input on microprocessor 4204 via the data bus 602. Further, thereis provided a register interface 630 between the control block 206 andthe microprocessor core 204. This is a flash access control functionprovided by the control block 206 and is generally a conventional accessto a flash memory. Serial data can be input to the flash memory via theinput bus 610 and data read therefrom for the purpose of programming thememory initially and for programming instruction registers in thecontrol block 206, this being a configuration operation—a conventionaloperation.

Referring now to FIG. 7, there is illustrated a detailed block diagramof one embodiment for restricting access. The microprocessor core 204has contained therein, in a simplified illustration, a Program Counter702 and an address register 704. The Program Counter 702 is operable tooutput a count value for programming instructions that will be providedit to the microprocessor logic and also provided to a comparator 706.The comparator 706 is also operable to interface through a bus 708 to auser limit register 710, this typically in the control block 206.However, this could be a limit that could be hard wired into themicroprocessor core 204 or in a completely separate register in the core204. This could even be a register within the flash memory 202 that isaccessible by a certain sequence of program instructions. In any event,once loaded, this limit is unalterable by the user and, in somesituations, by the actual vendor themselves.

The comparator 706 is operable to compare the value of the ProgramCounter with the value in the user limit register. In this manner, thecomparator will provide an output on a signal line 712 which willindicate whether the Program Counter is in the restricted or in the userspace with a public/private signal. This signal line 712 is input tologic block 714.

The address register 704 in the microprocessor 204 is output on anaddress bus 720, which has a width of N. This bus has a portion of thebits thereof extracted therefrom, there being M bits extracted therefromon a bus 722. Therefore, the bus 720 is divided into a bus 722 with Mbus lines and a bus 724 with N−M bus lines. The bus 722 is input to alogic block 714, this typically representing the upper block of memory.If there is no inhibit operation on the memory 202 to be performed dueto an attempt to access data in the restricted space while operating theprogram in the user space, then the logic 714 will pass the receivedbits on the bus 722 out onto a bus 730 to be combined with the bus 724on a bus 732. The bus 730 provides the bits M′ wherein the bus 732provides bits N′. This represents a situation wherein the bus mayactually be modified by having the upper block altered. Typically, theupper block of memory addressing bits, the M bits, will be altered inthe event of a positive decision on the signal line 712 that the ProgramCounter 702 is operating in the public area and the address outputthereof is from the address register 704 and is addressing informationin the private area. It should be understood that this exampleillustrates an address from the address register 704 where, in programsituations, the information on the address bus 720 is from the ProgramCounter 702. This is not illustrated for simplicity purposes. However,the conduct of the address bus 720 is typically selected by amultiplexer (not shown) that selects either the output of the addressregister 704 or the output Program Counter 702.

Referring now to FIG. 8, there is illustrated a block diagram of analternate embodiment for inhibiting access to the memory 202 whenever aninstruction executed in the user space attempts to access data in therestricted space, it being understood that a jump to a programinstruction in the restricted space is allowed from the user space. Inthe microprocessor core 204, there is provided a multiplexer 802 that isoperable to interface between the address register 704 and the ProgramCounter 702. The Program Counter 702 provides an output therefrom on abus 804 to one input of the multiplexer 802, whereas the output of theaddress register is input to the other input of the multiplexer 802through a second bus 806. The output of the multiplexer comprises anaddress bus output that is connected to an address bus 810 that isconnected to the address input of the memory 202. The multiplexer 802receives a PC select signal on an internal line 812 within themicroprocessor core 204. This also is a conventional output provided bythe microprocessor core 204 on a signal line 814. This line 814indicates whether the PC register 702 is selected or the addressregister 704 is selected.

The contents of the address bus 810 are compared with that of the userlimit register 710 with a comparator 818. This comparator 818 determineswhether the address is in the public or private region of the addressspace, i.e., the user or restricted space, respectively. The output ofthis comparison operation is input to a logic block 820 which alsoreceives the signal on the signal line 814. This logic block 820provides an output indicating a positive decision whenever it isdetermined that the contents of the PC register 702 are not output onthe bus 810, i.e., the contents of the address register 704 output onthe address bus 810 and that the address is above the limit in the limitregister 710. This positive result indicates an unauthorized attempt toaccess the memory 202 in the restricted space. A signal is output on aline 824 to a multiplexer 826, which multiplexer 826 will select eitherthe data output of the memory 202 or a value of 0000h, a “null” value.For a positive result, the null value is selected for input to thememory 204 on the program data input via a bus 828. Logic block 820, inthe alternate operational mode in the restricted space, can determinethat the Program Counter value is selected for output on the bus 810 andthat the Program Counter value is in the restricted address space. Thisindicates a program instruction that is generated by the program in therestricted space. This is latched by the logic block 820, since thecomparator 818 will indicate this as being in the private region.Therefore, an indication on the line 814 that the Program Counter 702 isselected by the multiplexer 802 and that the information on the addressbus 810 is in the private or restricted space is latched such that, if asubsequent instruction indicates that the contents of the addressregister 704 are selected, i.e., the signal line 814 indicates that theaddress register is selected, and that the address is attempting toaddress information in the memory 202, this will be allowed due to thefact that the previous program instruction was generated by programinstructions in the restricted space.

A Verilog output is provided representing the operation wherein accessto data in the memory with an address that is greater than the readlimit resulting from the program instruction executed in the readerspace:

wire addr_gt_readlimit = (mem_addr> {4 ′ h7, read-limit, 4 ′ hf});always @ (posedge clk or posedge rst) if (rst) user_code_executing <= 0;else if (pc_valid) user_code_executing <= ^(~)addr_gt_readlimit; assign^(~)core-reset & ^(~)suspend  // uP access that read_limit_exceeded = is ^(~)mem_psenb & // a read cycle, by user_code_executing // user codethat & is not ^(~)pc_valid & // an instruction fetch addr_gt_readlimit;*---------------------------------------------mem_rdataMux----------------------------------------*/ // // if either a S/W readaccess exceeds the “read_limit” or the JTAG // port trys to read a“read_locked” region - the security H/W will mux // ZEROs onto the“security_dout” bus // assign security_dout = read_limit_exceeded ?8 ’h00 // output all zeros : dout; // read data from flash

Referring now to FIG. 9, there is illustrated a block diagram of analternate embodiment. In the embodiment of FIG. 9, the contents of theProgram Counter 702 are output to a comparator 902 which compares theinformation thereof with the contents of the limit register 710 todetermine if the Program Counter value is in a public or private region.Similarly, the contents of the address bus 810 are compared with acomparator 904 with a limit in the limit register 710. The limitregister 710 is illustrated as two registers for simplicity purposes, todetermine if the contents of the address register are in the public orprivate region. The output of both comparators 902 and 904 are input tothe logic block 906. Logic block 906 determines whether the ProgramCounter is in the private or public area and also determines whether theinformation in the address bus 810 is in the public or private area. Ifit is determined that the Program Counter 702 is operating in theprivate area and that the information in the address bus 810 isoperating in the private area, then the multiplexer will allow data toflow therethrough, since the logic block 906 can determine that theaddress is the result of a previous Program Counter instruction in theprivate area or restricted area. However, when it is determined that theProgram Counter is in the public area, the user area, and the address isan address value from address register 704 and this is in the restrictedor private area, then the logic block 906 will control the multiplexerto select the null value.

Referring now to FIG. 10, there is illustrated a view of an alternateembodiment for inhibiting the memory operation. In this simplifiedembodiment, there is provided a control block or logic block 1002 thatis operable to receive the output of the Program Counter on a bus 1004and the address bus on an address bus 1006. The logic block 1002compares this with information in the limit register 710 to determinewhat type of operation is being performed, i.e., a program instructionor a memory access instruction, and where in the memory map the addressresides. This was described hereinabove. In this embodiment, there isprovided an inhibit circuit 1010 that is operable to inhibit aread/write operation to memory 202 in the event that the logic block1002 makes a determination that this is a restricted operation.

Referring now to FIG. 11, there is illustrated a diagrammatic view ofthe memory, which, as described hereinabove is incorporated in FLASH. Asnoted hereinabove, the memory is divided into a reserved space 1102 andinto a user space 1104. The reserved space is, as described hereinabove,protected from reading by the user and is used primarily for executinginstructions. The user space, on the other hand, is space which the usercan utilize for execution of user defined functions and for reading ofdata therefrom or for writing of data thereto.

In addition to the above noted operations of the reserved space and theuser space, there is also the provision for protecting all or a portionof the reserved space or the user space from reading or writing, aftercreation thereof. This utilizes lock bits which are stored in a reservelock byte 1106 in the reserve space 1102 for locking all or a portion ofthe reserve space, and in a user lock byte 1108 in the user space 1104,which is associated with all or a portion of the user space 1104. Thereserve lock bits in the lock byte 1106 each are associated with a pageof the reserve space 1102. Once set to a logic “0,” this particular pageand all addressable locations therein is locked and cannot be unlockedwithout erasure of the page. Similarly, the user lock byte contains userlock bits each associated with a page in the user space 1104. Once thelock bit has been set to a logic “0” for that page, access thereto forreading or writing/erasure is prohibited. It should be noted that thelock bit can be associated with reading or writing/erasure. It is alsonoted that each of the reserve lock byte 1106 and user lock byte 1108 iscomprised of two bytes, one for reading and one for writing/erasing.This is illustrated a lock byte 1110 for locking read operations inselect portions of the reserve space 1102 and a lock byte 1112 forlocking write/erase operations in the reserve space. A lock byte 1114 isassociated with locking read operations in the user space and a lockbyte 1116 is associated with locking write/erase operations in the userspace.

It is noted that the user lock byte 1108 is disposed at the upperportion of the user space which upper portion is defined by the userlimit 1118, this being a variable location. This value is typicallystored somewhere in the reserve space, typically in the upper portion ofthe memory in a reserve space 1102, a known location and not variable.This is typically associated with a number of different vectors definingvarious operations in the user space. By reading this value from theuser space, the system then knows where the user limit is andsubsequently, where the user lock byte resides. The user lock byte andthe reserve lock byte are always located in the upper portion of theassociated space.

As will be described hereinbelow, the user space lock byte is erased byerasing one logical block of memory at a time, i.e., a page, beginningat the lower end thereof until the user lock byte 1108 is erased. Toerase the reserve space lock byte, the entire memory must be erased.However, a single sector or page can be erased in either section if itis not locked.

Referring now to FIG. 12, there is illustrated a diagrammatic view ofthe hardware for implementing the external user access protection viathe lock bytes. The FLASH memory is illustrated by a memory 1202, whichis operable to receive read/write control operations via a control line1204 in the form of a bus from a control state machine 1206.Additionally, an address received from an address bus 1208 and data isoutput on a data bus 1210. The controls that are input into the FLASH1202 are facilitated by external access which requires an externalinterface. As described hereinabove, the access is through a JTAG testport standard, which is a serial communication protocol. The accesscommands that are available are a READ operation which will allow asingle memory byte to be read, a WRITE operation which will allow asingle memory byte to be read and erase sector operation which willallow a memory sector to be defined by the memory architecture and to beerased, this the logical sector such as a page. The ability to read abyte, write a byte or erase a particular sector is a lockable function.Additionally, commands are available to allow the entire user memoryspace to be erased, a command to allow the entire reserve space to beerased or a command to erase the entire program memory. All of thesecommands can be encoded as a single byte followed by an address and databytes, as required for a particular microprocessor architecture.

The control state machine can receive either a READ request, a WRITErequest, a page erase request or a user space erase request, in additionto an entire memory erase command. In order to execute these commands,it is necessary to access the various lock bytes, the limit address andthe such. A multiplexer 1210 is provided which is controlled by thecontrol state machine 1206 to select various addresses. These addressesare the user limit address, which defines where the user lock bytes arestored, which is facilitated by accessing the memory 1202 at the upperaddress therein where the limit address is stored, reading thisinformation and then storing this information in a user limit register1212. It is noted that the location of the lock byte for the user spaceis hard coded as being at a predetermined address in the top pagetherein and, in the preferred embodiment, in the top two bytes therein.The reserve read and write/erase lock address is a value that is hardcoded in the hardware and is provided as an input to the multiplexer1210, this being the top of the memory space and a known and fixedvalue. The user lock address determined from the user limit address isprovided in addition to a general user address, this being the addressthat a user inputs into the memory. In addition, the multiplexer 1210receives the output of a page counter 1214 which counts pages in theuser space as will be described hereinbelow.

When the lock bits are read for either the user space or the reservedspace, they are stored in a register 1214 for use by the control statemachine. Additionally, the user limit register 1212 is loaded initiallyby the control state machine by reading the upper addressable locationin the memory. In order to read the lock bits, the lock bits for thereserve space are read by selecting the reserve read/write lock addresswith the multiplexer 1210 and, for the user space, selecting the userlimit address.

When erasing the user lock byte in the user space, it is necessary toerase the lower pages of memory first, since the memory is organized inlogical blocks of 512 bytes. These logical pages must be erased one at atime and, as such, one cannot erase the memory location containing theuser lock byte until all lower pages or blocks have been erased.Therefore, the counter is utilized to begin erasing the lower page firstup to the upper page. A comparator 1220 is provided for comparing theuser limit address value with the value in the page counter, thisconstituting the upper address in the page. When the page counterexceeds this value, then the page counter is stopped, this being acontrol signal output by the comparator 1220.

Referring now to FIG. 13, there is illustrated a diagrammatic view ofhow each of the lock bytes and the bits associated therewith areassociated with various logical pages or sectors in the memory. Asection of the memory, being the reserved or the user section, isillustrated as a section 1302. The section 1302 is divided into eightpages 1304 labeled Page 0-Page 7. A lock byte 1306 is provided which hasseven bits. It should be understood that there will be two lock bytes,one for READ and one for WRITE/ERASE, although only one is illustrated.A lock byte has eight bits associated therewith. Each bit is associatedwith one of the pages 1304 of the memory. However, although beingillustrated as eight bits in eight sectors, there may in fact be lesssectors. There may in fact be one of the lock bits that is associatedwith a different function and not necessarily with locking a particularsector of memory. As such, it is possible for only portions of thememory to be locked as opposed to the entire memory.

Referring now to FIG. 14, there is illustrated a flow chart depictingthe operation of reading or writing to a particular memory location orerasing a page. The program is initiated at a block 1402 and thenproceeds to a block 1404 to read the user limit and then load theregister 1212. The control state machine 1206 then reads the appropriatelock byte 1106 or 1108, depending upon whether the addressed location isin the reserve space 1102 or the user space 1104, respectively, it beingunderstood that this comprises both of the lock bytes 1114 and 1116 forthe user space 1104 and both of the lock bytes 1110 and 1112 for thereserve space 1102, this indicated by a function block 1406, it beingunderstood that only a single lock byte will be read depending uponwhether it is a READ or a WRITE operation. This information is then sentto the control state machine 1206, as indicated by block 1408. Adecision is then made at a decision block 1410 to determine if theparticular address defined by the user address is locked. If so, thenthe operation will fail, as indicated by fail block 1411, and useraccess will be inhibited for a READ, a WRITE or page erase dependingupon the function locked. However, if it is not locked, then theparticular READ or WRITE operation or page erase operation can beperformed as indicated by function block 1412. The program then flows toa function block 1414.

Referring now to FIG. 15, there is illustrated a flow chart depictingthe operation of erasing the user space. Whenever the entire user spaceis to be erased, as described hereinabove, the bottom pages must beerased first. The program is initiated at a block 1502 and then proceedsto a block 1504 to read the user limit and then to block 1506 to readthe lock byte at the user limit. The program then initiates a startcounter as indicated by a block 1508 at Page 0. The program then flowsto function block 1510 to erase this block of memory and into a block1512 to increment the page counter. A decision is then made at adecision block 1516 as to whether the user limit has been exceeded,i.e., the address is in the reserve space. If not, then this particularpage is erased by flowing back to the input of function block 1510.However, once the counter has been incremented past the user limit, thenthe program will flow from the decision block 1516 along the “Y” path toa function block 1518 to stop the counter and then to function block1520 to an END block. As noted, the entire user space can be erased orjust one sector in the user space. This selective access to portions ofa space with a single lock byte provides an increased versatility to thesystem.

Although the preferred embodiment has been described in detail, itshould be understood that various changes, substitutions and alterationscan be made therein without departing from the spirit and scope of thedisclosure as defined by the appended claims.

1. A method for protecting a memory space from external access,comprising the steps of: storing in a location in memory a plurality oflock bits, each associated with a separate logical portion of the memoryspace and determinative as to the access thereof for a predeterminedmemory access operation thereon; detecting a request for access to adesired location in the memory space for operating thereon; comparingthe requested memory access operation with the associated lock bit inthe associated logical portion and determining if access is allowed forthe requested memory access operation; and if allowed, performing therequested memory access operation on the desired location in the memoryspace.
 2. The method of claim 1, wherein the predetermined operation isa read of an addressable location in the associated logical portion. 3.The method of claim 1, wherein the predetermined operation is a write ofan addressable location in the associated logical portion.
 4. The methodof claim 1, wherein the predetermined operation is an erase of theassociated logical portion for an addressable location therein.
 5. Themethod of claim 1, wherein the step of storing in a location theplurality of lock bits comprises storing in a variable location in thememory the plurality of lock bits and storing the lock bit location in aknown location in the memory, such that in the step of comparing, thelocation of the lock bits is first read from the memory and then thelock bits read from the memory.
 6. The method of claim 5, wherein thepredetermined operation is an erase of the lock bits.
 7. The method ofclaim 6, wherein the predetermined operation of erasing the lock bitsrequires that each of an associated lower logical portion of the memoryhaving a relatively lower logical memory address and not containing lockbits be erased before a top most portion of memory having a relativelyhigher logical address than the lower logical portion is erased, whichtop most portion of the memory contains the lock bits.